Pen Testing with Distributed Password Recovery and GPUs

March 19th, 2009 by Katerina Korolkova, PR Director

The German c’t magazine (issue 06/09) has published an article on cracking NTLM hashes with graphics cards. In it, penetration testers from SySS GmbH raise an uncomfortable question: once an intruder has obtained your password hashes, how quickly can the passwords themselves be recovered offline? Put differently, how long does your Windows logon password need to be for you to keep sleeping soundly?

Elcomsoft Distributed Password Recovery was run on a dual-core AMD Athlon X2 4850e at 2.5 GHz with an Nvidia GeForce 9800 GTX installed. The test system is nothing exotic: it can be bought for about $1K.

Now, what is the outcome?
Six-character passwords made of lowercase letters, uppercase letters and digits (62^6, about 5.7 × 10^10 candidates) were recovered in under a minute. That six characters is insecure comes as no surprise.

Corporate policies usually require at least 8 characters, and 8 characters is exactly what most employees use, because longer passwords are painful to remember. An 8-character password drawn from the full set of special symbols, uppercase and lowercase letters and digits (roughly 95^8 ≈ 6.6 × 10^15 candidates, if all printable ASCII symbols are counted) takes up to 82 days to exhaust on this system. The authors argue, however, that it is reasonable to test only the 22 special symbols that the majority of users actually pick (_@#$&+-=%*"~!?.,:;()<>). With upper/lowercase letters, digits and those 22 symbols (84 characters, 84^8 ≈ 2.5 × 10^15 candidates) an 8-character password falls in at most 33 days; on average a brute-force search hits the right candidate after about half that time.

The next question is what it would cost an attacker to brute-force the NTLM hash, recover the password and break into your system within a single day. The authors estimate that this takes an investment of at least 50,000 euro in powerful graphics adapters, plus electricity and cooling.

So, do not forget to change your Windows password every 30 days. And thank you for your tests, guys.

One Response to “Pen Testing with Distributed Password Recovery and GPUs”

Garrett, could you explain, please? What exactly is incorrect? What type of password has been cracked (in less than 40 seconds)? I should say that it is NOT possible for NTLM authentication. The number of passwords in the given range is:

(26 + 26 + 10) ^ 12 = 3,226,266,762,397,899,821,056

A single Tesla (S1070) can test about 3 billion passwords per second. Even assuming that your “alpha” software is faster and makes 5 billion p/s, and you have as many as 1000 Tesla units — trying all possible 12-character mixed alphanumeric passwords will take about 20 years.

If old-style LM authentication has been used, everything is much simpler, though — passwords are not case-sensitive, and limited to 14 characters (divided into two 7-character parts). To crack *ANY* LM password, a Tesla is not needed at all — a usual desktop PC is enough.